RE: access-list

From: Scott Morris (smorris@ipexpert.com)
Date: Thu May 15 2008 - 22:24:47 ART


Isn't the same true of many protocols? If I send a request out for a web
page, it's sourced originally from an ephemeral port (>1023) to a
destination port of 80. The incoming packet on my router from the Internet
would have a source port of 80 and destination of whatever the random port
was.

You can predict the direction traffic will flow based on the RFC information
for BGP! :)

The conversation is initiated by the BGP speaker with the higher BGP
Identifier. Section 6.8 "Connection collision detection" spells this
concept out.

So you really don't need to have both statements. Or at least you'll find
that one has hits and the other doesn't during normal operation!

HTH,

Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE-M
#153, JNCIS-ER, CISSP, et al.
CCSI/JNCI-M/JNCI-ER
VP - Technical Training - IPexpert, Inc.
IPexpert Sr. Technical Instructor

smorris@ipexpert.com

 

Telephone: +1.810.326.1444
Fax: +1.810.454.0130
http://www.ipexpert.com

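Added example for this thread (not code from any of the posts above): a small simulation of how the two entries from the question behave when applied inbound on R1's interface toward R2. The addresses, the ephemeral port and the simplified matcher are constructed for illustration; "eq bgp" resolves to TCP port 179 as it does in an IOS extended ACL. The three scenarios show which entry takes the hit when R1 opens the session, when R2 opens it, and when both open at once (a connection collision, which RFC 4271 section 6.8 resolves by keeping the connection from the higher BGP Identifier), plus what happens when only one of the two entries is configured.

```python
"""Which ACL entry does a BGP session hit, seen inbound on R1?

Added example, not code from the original posts.  Addresses, the ephemeral
port and the simplified ACL matcher are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

BGP_PORT = 179  # 'eq bgp' in an IOS extended ACL means TCP 179


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Ace:
    """One entry of 'permit tcp any [eq N] any [eq N]': both addresses are
    'any', so only the port operators decide whether the entry matches."""
    text: str
    src_eq: Optional[int] = None  # operator after the SOURCE address
    dst_eq: Optional[int] = None  # operator after the DESTINATION address

    def matches(self, pkt: Packet) -> bool:
        if self.src_eq is not None and pkt.src_port != self.src_eq:
            return False
        if self.dst_eq is not None and pkt.dst_port != self.dst_eq:
            return False
        return True


# The two entries from the question, in the order they were written.
ACL = [
    Ace("permit tcp any any eq bgp", dst_eq=BGP_PORT),  # matches dst port 179
    Ace("permit tcp any eq bgp any", src_eq=BGP_PORT),  # matches src port 179
]
IMPLICIT_DENY = "implicit deny"


def first_match(acl, pkt: Packet) -> str:
    """IOS semantics: entries are tested top-down, first match wins."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.text
    return IMPLICIT_DENY


def bgp_session(initiator: str, responder: str, ephemeral: int = 49152):
    """Both directions of one BGP TCP session.  The initiator sends from an
    ephemeral (>1023) port to 179; the responder answers from 179 back to
    that ephemeral port.  One packet per direction is enough to show the
    port layout (SYN, OPEN and KEEPALIVE all look the same to the ACL)."""
    return [
        Packet(initiator, ephemeral, responder, BGP_PORT),
        Packet(responder, BGP_PORT, initiator, ephemeral),
    ]


def inbound_hits(acl, session, local_ip: str) -> dict:
    """Apply the ACL inbound on local_ip's interface: only packets addressed
    to the local router are evaluated; return the hit count per entry."""
    hits = {ace.text: 0 for ace in acl}
    hits[IMPLICIT_DENY] = 0
    for pkt in session:
        if pkt.dst_ip == local_ip:
            hits[first_match(acl, pkt)] += 1
    return hits


R1, R2 = "10.0.0.1", "10.0.0.2"  # constructed neighbour addresses

if __name__ == "__main__":
    print("R1 opens the session  :", inbound_hits(ACL, bgp_session(R1, R2), R1))
    print("R2 opens the session  :", inbound_hits(ACL, bgp_session(R2, R1), R1))
    # Connection collision (both open at once): both entries see hits until
    # one of the two connections is torn down per RFC 4271 section 6.8.
    both = bgp_session(R1, R2) + bgp_session(R2, R1)
    print("both open (collision) :", inbound_hits(ACL, both, R1))
    # Keep only one entry and the other direction falls to the implicit deny.
    print("only 'any any eq bgp' :", inbound_hits(ACL[:1], bgp_session(R1, R2), R1))
```

Two things worth keeping in mind when reading the counters. First, which entry shows hits depends only on who opened the TCP connection, so on a router that always initiates (or never does) one entry can sit at zero indefinitely, while a collision at session start briefly hits both. Second, a port-only entry such as `permit tcp any eq bgp any` admits any TCP segment whose sender chose source port 179, which an attacker controls; in production, match the neighbour addresses rather than `any` and treat the port qualifier as a refinement, not as the control.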
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Matt
Bentley
Sent: Thursday, May 15, 2008 9:13 PM
To: Scott Morris
Cc: ccieking@gmail.com; ccielab@groupstudy.com
Subject: Re: access-list

Hello:

I had trouble with this one for a long time too. Source versus destination
is exactly correct, but to elaborate.....

R1 (TCP Port 179) ---------------------------R2 (TCP Port 179)

The first statement (permit tcp any eq bgp any) would match BGP traffic going
from R1 to R2. The second statement (permit tcp any any eq bgp) would match
BGP traffic going from R2 to R1.

BGP is a little funny in this way - the sender sources traffic from TCP port
179 - but the destination port is random.
This is why whenever you're allowing BGP through an ACL you have to do both
statements, instead of a single one as in RIP/OSPF/EIGRP (i.e., permit udp
any any eq rip).

HTH

Matt Bentley

On Thu, May 15, 2008 at 9:03 PM, Scott Morris <smorris@ipexpert.com> wrote:

> Source vs. destination
>
>
> http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.html#wp1013358
>
> HTH,
>
>
> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> JNCIE-M #153, JNCIS-ER, CISSP, et al.
> CCSI/JNCI-M/JNCI-ER
> VP - Technical Training - IPexpert, Inc.
> IPexpert Sr. Technical Instructor
>
> smorris@ipexpert.com
>
>
>
> Telephone: +1.810.326.1444
> Fax: +1.810.454.0130
> http://www.ipexpert.com
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of ccieking@gmail.com
> Sent: Thursday, May 15, 2008 7:01 PM
> To: ccielab@groupstudy.com
> Subject: access-list
>
> Hi experts
>
> what is the difference between these two access-list
>
> permit tcp any any eq bgp
> permit tcp any eq bgp any
>
> can anyone explain me?
>
> regards
> Richard
>
>
> ______________________________________________________________________
> _ Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>



This archive was generated by hypermail 2.1.4 : Mon Jun 02 2008 - 06:59:16 ART